[liberationtech] scrambler

Bryan C. Geraghty bryan at ravensight.org
Fri Aug 30 11:17:57 PDT 2013 

We have experts in this field working on this problem. It's probably best
that you leave it to them. In the meantime, follow Seth's advice if you need
the strength of an OTP; do it manually.

 

Bryan

 

From: liberationtech-bounces at lists.stanford.edu
[mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Michael
Hicks
Sent: Friday, August 30, 2013 12:51 PM
To: Michael Hicks; liberationtech
Subject: Re: [liberationtech] scrambler

 

Thank you so much we appreciate your opinion and facts. would you have any
recommendations? something we could fix? the whle purpose of this software
is to give the American people privacy and not have to worry about the NSA's
spying. 

 

  _____  

From: Michael Hicks <scramblerencryption at yahoo.com>
To: liberationtech <liberationtech at lists.stanford.edu> 
Sent: Friday, August 30, 2013 1:43 PM
Subject: Re: [liberationtech] scrambler

 

it's the purpose so that it is Unable to be hacked. trying to use complete
privacy for the American people. It's the same thing used by government we
know cuz our software designer works for DOD. 

 

  _____  

From: "konfkukor at riseup.net" <konfkukor at riseup.net>
To: liberationtech <liberationtech at lists.stanford.edu> 
Sent: Friday, August 30, 2013 6:33 AM
Subject: Re: [liberationtech] scrambler


I'm really astonished. The method he uses to implement the one-time pad is
plain ridiculous. A complete lookup table which maps each possible byte to
another is consumed per byte transferred, making the pad 256 times (which
could even be optimized to 255) larger than the message.

The author has no clue at all.

> Quoting the Scrambler website:
> "The drawback of the one-time cypher pad encryption method is that to
> encrypt a message without reusing the one-time cypher pad requires it to
> be 256 times the size of the message. Encrypting a one megabyte file
> without reusing the one-time cypher pad requires it to be 256 megabytes.
> While it is recommended that you do not reuse one-time cypher pads,
> Scrambler will do so."
>
> The author doesn't understand how to construct one-time pads, and flouts
> the most important rule of using them. Avoid this software like the
> plague.
>
> Cheers,
> Michael
>
> Seth David Schoen <schoen at eff.org> wrote:
>
>>Michael Hicks writes:
>>
>>> ok so I guess I just send u guys the links and u check out my software
>>> and Vet it? This was made for people to be able to protect their
>>> privacy and the NSA can't hack it No One can it's impossible. all the
>>> information is at scrambler.webs.com
>>
>>It's true that no one can crack a one-time pad, which your software
>>claims to implement.  A one-time pad might be useful for some people,
>>though it's possible that they shouldn't then use a computer to encrypt
>>and decrypt, because using a computer introduces new vulnerabilities
>>(like radiofrequency emanations and remote software exploits).
>>
>>There might still be cryptographic vulnerabilities in the random number
>>generation that your software uses.  There was recently a high-profile
>>vulnerability in the random number generation provided by the Java
>>implementation on Android, which allowed keys to be compromised.  If
>>there were a similar vulnerability in the Java implementations people
>>use with your software, it might have similar consequences -- which
>>might not be the fault of your software, but might still undermine its
>>security.
>>
>>A one-time pad is probably not very useful to most people who need to
>>communicate securely because they have to find a safe way, ahead of
>>time, to distribute and store the key material with each potential
>>party that they may communicate with.  That's a pretty heavy burden,
>>especially when people are meeting new contacts and wanting to
>>communicate with those contacts (without having been able to arrange
>>a prior physical key distribution).
>>
>>It also doesn't integrate easily with any form of communications
>>other than exchanging files, although it would be possible to extend
>>it to other things like e-mail or IM if you could manage the sequence
>>numbers properly to avoid reusing key material (something our existing
>>protocols don't really help with).
>>
>>If you read _Between Silk and Cyanide_, there's a good and interesting
>>historical account of wartime military use of one-time pads.  One of
>>the messages seems to be that it was quite expensive and cumbersome,
>>though perhaps well worth it for the particular application.  It's hard
>>to imagine many audiences prepared to actually bear these costs for
>>many of their communications today.  We already see people complaining
>>about the effort and overhead of things like PGP merely because some
>>aspects of the key management are made explicit to the user.  For
>>one-time pads _every_ aspect of key management is made explicit -- and
>>manual, and requiring the exchange of physical objects!
>>
>>My intuition is that people who feel that one-time pads are necessary
>>should probably learn to operate them by hand, the way the SOE agents
>>in that book did.
>>
>>--
>>Seth Schoen  <schoen at eff.org>
>>Senior Staff Technologist                      https://www.eff.org/
>>Electronic Frontier Foundation                  https://www.eff.org/join
>>815 Eddy Street, San Francisco, CA  94109      +1 415 436 9333 x107
>>--
>>Liberationtech is a public list whose archives are searchable on Google.
>> Violations of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator
>> at companys at stanford.edu.
> --
> Liberationtech is a public list whose archives are searchable on Google.
> Violations of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
<https://mailman.stanford.edu/mailman/listinfo/liberationtech.> Unsubscribe,
> change to digest, or change password by emailing moderator at
> companys at stanford.edu.
>


-- 
Liberationtech is a public list whose archives are searchable on Google.
Violations of list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech.
<https://mailman.stanford.edu/mailman/listinfo/liberationtech.> Unsubscribe,
change to digest, or change password by emailing moderator at
companys at stanford.edu.




-- 
Liberationtech is a public list whose archives are searchable on Google.
Violations of list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech.
<https://mailman.stanford.edu/mailman/listinfo/liberationtech.> Unsubscribe,
change to digest, or change password by emailing moderator at
companys at stanford.edu.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130830/689288c7/attachment.html>

More information about the liberationtech mailing list